AMENDMENTS TO THE CLAIMS 

1. (Currently Amended) A method of proving membership in a nested group, wherein a presenter of
credentials that requests one or more resources to which access is so controlled by a recipient of
credentials so as to make them available to members of the nested group presents to the recipient of
credentials one or more chains of group credentials that prove the presenter's membership in the
nested group.

2. (Original) The method of claim 1, wherein one of said chains of group credentials comprise 
one or more proofs of group membership. 

3. (Original) The method of claim 2, wherein said proofs of group membership comprise one or 
more group membership certificates. 

4. (Original) The method of claim 2, wherein said proofs of group membership comprise one or 
more group membership lists. 

5. (Original) The method of claim 1, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

6. (Original) The method of claim 5, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

7. (Original) The method of claim 5, wherein said proofs of group non-membership comprise 
one or more group membership lists. 

8. (Original) The method of claim 1, wherein said recipient is a resource server. 

9. (Original) The method of claim 1, wherein said recipient is an on-line group server. 

10. (Original) The method of claim 1, wherein said recipient is an on-line revocation server. 

11. (Original) The method of claim 1, wherein said recipient is a client.

12. (Currently Amended) A method of proving non-membership in a nested group, wherein a
presenter of credentials that requests one or more resources to which access is so controlled by a
recipient of credentials so as to make them available to non-members of the nested group presents to
the recipient of credentials one or more chains of group credentials that prove the presenter's
non-membership in the nested group.

13. (Original) The method of claim 12, wherein one of said chains of group credentials comprise 
one or more proofs of group membership. 

14. (Original) The method of claim 13, wherein said proofs of group membership comprise one 
or more group membership certificates. 

15. (Original) The method of claim 13, wherein said proofs of group membership comprise one 
or more group membership lists. 

16. (Original) The method of claim 12, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

17. (Original) The method of claim 16, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

18. (Original) The method of claim 16, wherein said proofs of group non-membership comprise 
one or more group membership lists. 

19. (Original) The method of claim 12, wherein said recipient is a resource server. 

20. (Original) The method of claim 12, wherein said recipient is an on-line group server. 

21. (Original) The method of claim 12, wherein said recipient is an on-line revocation server. 

22. (Original) The method of claim 12, wherein said recipient is a client. 

23. (Currently Amended) A computer system wherein a presenter of credentials that requests one or
more resources to which access is so controlled by a recipient of credentials so as to make them
available to members of a nested group presents to the recipient of credentials one or more chains of
group credentials to prove the presenter's membership in the nested group.

24. (Original) The system of claim 23, wherein one of said chains of group credentials comprise
one or more proofs of group membership. 

25. (Original) The system of claim 24, wherein said proofs of group membership comprise one 
or more group membership certificates. 

26. (Original) The system of claim 24, wherein said proofs of group membership comprise one 
or more group membership lists. 

27. (Original) The system of claim 23, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

28. (Original) The system of claim 27, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

29. (Original) The system of claim 27, wherein said proofs of group non-membership comprise 
one or more group membership lists. 

30. (Original) The system of claim 23, wherein said recipient is a resource server. 

31. (Original) The system of claim 23, wherein said recipient is an on-line group server. 

32. (Original) The system of claim 23, wherein said recipient is an on-line revocation server. 

33. (Original) The system of claim 23, wherein said recipient is a client. 

34. (Currently Amended) A computer system wherein a presenter of credentials that requests one or
more resources to which access is so controlled by a recipient of credentials so as to make them
available to non-members of a nested group presents to the recipient of credentials one or more
chains of group credentials to prove the presenter's non-membership in the nested group.

35. (Original) The system of claim 34, wherein one of said chains of group credentials comprise 
one or more proofs of group membership. 

36. (Original) The system of claim 35, wherein said proofs of group membership comprise one
or more group membership certificates. 

37. (Original) The system of claim 35, wherein said proofs of group membership comprise one 
or more group membership lists. 

38. (Original) The system of claim 34, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

39. (Original) The system of claim 38, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

40. (Original) The system of claim 38, wherein said proofs of group non-membership comprise 
one or more group membership lists. 

41. (Original) The system of claim 34, wherein said recipient is a resource server. 

42. (Original) The system of claim 34, wherein said recipient is an on-line group server. 

43. (Original) The system of claim 34, wherein said recipient is an on-line revocation server.

44. (Original) The system of claim 34, wherein said recipient is a client. 

45. (Currently Amended) A method of requesting one or more resources from a server on a computer
network, in which access to said resources is so controlled by said server so as to make them
available to members of a nested group, the method comprising:

A. obtaining one or more chains of group credentials that prove client membership in the nested
group, and

B. transmitting to the server a request for one or more of the one or more resources, said request
including the one or more chains of group credentials that prove membership in the nested group.

46. (Original) The method of claim 45, wherein one of said chains of group credentials comprise 
one or more proofs of group membership. 

47. (Original) The method of claim 46, wherein said proofs of group membership comprise one
or more group membership certificates. 

48. (Original) The method of claim 46, wherein said proofs of group membership comprise one 
or more group membership lists. 

49. (Original) The method of claim 45, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

50. (Original) The method of claim 49, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

51. (Original) The method of claim 49, wherein said proofs of group non-membership
comprise one or more group membership lists. 

52. (Currently Amended) A method of requesting one or more resources from a server on a computer
network, in which access to said resources is so controlled by said server so as to make them
available to non-members of a nested group, the method comprising:

A. obtaining one or more chains of group credentials that prove client non-membership in the nested
group, and

B. transmitting to the server a request for one or more of the one or more resources, said request
including the one or more chains of group credentials that prove non-membership in the nested group.

53. (Original) The method of claim 52, wherein one of said chains of group credentials comprise 
one or more proofs of group membership. 

54. (Original) The method of claim 53, wherein said proofs of group membership comprise one 
or more group membership certificates. 

55. (Original) The method of claim 53, wherein said proofs of group membership comprise one 
or more group membership lists. 

56. (Original) The method of claim 52, wherein one of said chains of group credentials comprise
one or more proofs of group non-membership. 

57. (Original) The method of claim 56, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

58. (Original) The method of claim 56, wherein said proofs of group non-membership 
comprise one or more group membership lists. 

59. (Currently Amended) A client device on a computer network, said client device configured for
requesting one or more resources from a server on the network, in which access to said resources is
so controlled by said server so as to make them available to members of a nested group, said client
device comprising:

A. means for obtaining one or more chains of group credentials that prove client membership in the
nested group, and

B. means for transmitting to the server a request for one or more of the one or more resources, said
request including the one or more chains of group credentials that prove client membership in the
nested group.

60. (Original) The client device of claim 59, wherein one of said chains of group credentials 
comprise one or more proofs of group membership. 

61. (Original) The client device of claim 60, wherein said proofs of group membership comprise 
one or more group membership certificates. 

62. (Original) The client device of claim 60, wherein said proofs of group membership comprise 
one or more group membership lists. 

63. (Original) The client device of claim 59, wherein one of said chains of group credentials 
comprise one or more proofs of group non-membership. 

64. (Original) The client device of claim 63, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

65. (Original) The client device of claim 63, wherein said proofs of group non-membership
comprise one or more group membership lists.

66. (Currently Amended) A client device on a computer network, said client device configured for
requesting one or more resources from a server on the network, in which access to said resources is
so controlled by said server so as to make them available to non-members of a nested group, said
client device comprising:

A. means for obtaining one or more chains of group credentials that prove client non-membership in
the nested group, and

B. means for transmitting to the server a request for one or more of the one or more resources, said
request including the one or more chains of group credentials that prove client non-membership in
the nested group.

67. (Original) The client device of claim 66, wherein one of said chains of group credentials 
comprise one or more proofs of group membership. 

68. (Original) The client device of claim 67, wherein said proofs of group membership comprise 
one or more group membership certificates. 

69. (Original) The client device of claim 67, wherein said proofs of group membership comprise 
one or more group membership lists. 

70. (Original) The client device of claim 66, wherein one of said chains of group credentials 
comprise one or more proofs of group non-membership. 

71. (Original) The client device of claim 70, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

72. (Original) The client device of claim 70, wherein said proofs of group non-membership
comprise one or more group membership lists.

73. (Currently Amended) A method for operating a resource server on a computer network, said
resource server configured to control access to one or more resources and provide access thereto to
members of a nested group, the method comprising:

A. receiving a resource-access request from a client, said request including one or more chains of
group credentials proving client membership in the nested group,

B. validating the one or more chains of group credentials, and

C. if the one or more chains of group credentials are determined to be valid, providing the requested
access to the client.
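The following Python is an added illustration of steps A to C of claim 73 and of the non-member variant in claim 80; it is not code from the application or its applicant. It assumes a constructed credential format in which each group signs its own membership certificates (claim 75) and membership lists (claims 76 and 79), uses HMAC with per-group keys held by the resource server as a stand-in for the digital signatures a deployment would use, and uses made-up group and user names. A membership chain for a nested group is a sequence of certificates, each naming the previous link's group as its subject; a non-membership chain is the set of membership lists for the target group and every subgroup reachable from it.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed sample data (an assumption of this example): the group names and
# per-group signing keys the resource server trusts. Any name in GROUP_KEYS is
# a group; any other name is an end principal such as a user.
GROUP_KEYS: Dict[str, bytes] = {
    "engineering": b"constructed-key-engineering",
    "backend": b"constructed-key-backend",
    "oncall": b"constructed-key-oncall",
}

def _sign(group: str, payload: dict) -> str:
    # HMAC over canonical JSON stands in for the group's digital signature.
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(GROUP_KEYS[group], msg, hashlib.sha256).hexdigest()

def _verify(group: str, payload: dict, sig: str) -> bool:
    return group in GROUP_KEYS and hmac.compare_digest(_sign(group, payload), sig)

@dataclass(frozen=True)
class MembershipCert:
    """Group membership certificate: 'subject' is a direct member of 'group'."""
    group: str
    subject: str
    sig: str

@dataclass(frozen=True)
class MembershipList:
    """Group membership list: the complete set of direct members of 'group'."""
    group: str
    members: Tuple[str, ...]
    sig: str

def issue_cert(group: str, subject: str) -> MembershipCert:
    return MembershipCert(group, subject, _sign(group, {"group": group, "subject": subject}))

def issue_list(group: str, members: Tuple[str, ...]) -> MembershipList:
    return MembershipList(group, members, _sign(group, {"group": group, "members": list(members)}))

def validate_membership_chain(client: str, target: str, chain: List[MembershipCert]) -> bool:
    """The chain proves client is in target when every link is signed by the
    group it names, the first subject is the client, each later subject is the
    previous link's group, and the last group is the target."""
    if not chain or chain[-1].group != target:
        return False
    expected_subject = client
    for link in chain:
        payload = {"group": link.group, "subject": link.subject}
        if link.subject != expected_subject or not _verify(link.group, payload, link.sig):
            return False
        expected_subject = link.group
    return True

def validate_non_membership_chain(client: str, target: str, lists: List[MembershipList]) -> bool:
    """Needs a verified membership list for target and for every subgroup
    reachable from it, none naming the client. A reachable subgroup with no
    list fails closed, or a presenter could hide a membership by omitting it."""
    by_group = {lst.group: lst for lst in lists}
    seen, todo = set(), [target]
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        lst = by_group.get(group)
        if lst is None or not _verify(group, {"group": group, "members": list(lst.members)}, lst.sig):
            return False
        if client in lst.members:
            return False
        todo.extend(m for m in lst.members if m in GROUP_KEYS)
    return True

def handle_request(client: str, target: str, members_only: bool,
                   chain: List[Union[MembershipCert, MembershipList]]) -> bool:
    """Steps A to C: receive the request's chain, validate it, grant access only
    if valid. members_only=True is claim 73's resource, False is claim 80's."""
    if members_only:
        return all(isinstance(c, MembershipCert) for c in chain) and \
            validate_membership_chain(client, target, chain)
    return all(isinstance(c, MembershipList) for c in chain) and \
        validate_non_membership_chain(client, target, chain)

def demo() -> Dict[str, bool]:
    # Constructed scenario: alice is in oncall, oncall is in backend, backend is
    # in engineering; bob belongs to none of them.
    alice_chain = [issue_cert("oncall", "alice"), issue_cert("backend", "oncall"),
                   issue_cert("engineering", "backend")]
    lists = [issue_list("engineering", ("backend", "dave")),
             issue_list("backend", ("oncall", "carol")), issue_list("oncall", ("alice",))]
    forged = alice_chain[:2] + [MembershipCert("engineering", "backend", "00" * 32)]
    spliced = [alice_chain[0], alice_chain[2]]  # the backend link is missing
    return {
        "alice_member": handle_request("alice", "engineering", True, alice_chain),
        "forged_signature": handle_request("alice", "engineering", True, forged),
        "missing_link": handle_request("alice", "engineering", True, spliced),
        "bob_non_member": handle_request("bob", "engineering", False, lists),
        "alice_non_member": handle_request("alice", "engineering", False, lists),
        "bob_lists_omitted": handle_request("bob", "engineering", False, lists[:1]),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'access granted' if granted else 'access denied'}")
```

The two checks that carry the security of this example are the link-by-link match between each certificate's subject and the previous certificate's group, which stops a presenter from splicing an unrelated but validly signed certificate into a chain, and the fail-closed handling of a reachable subgroup whose membership list was not presented. The example does not check freshness or revocation of certificates and lists; in a deployment those checks would be made against the on-line group server and on-line revocation server of claims 9 and 10.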

74. (Original) The method of claim 73, wherein one of said chains of group credentials comprise 
one or more proofs of group membership. 

75. (Original) The method of claim 74, wherein said proofs of group membership comprise one 
or more group membership certificates. 

76. (Original) The method of claim 74, wherein said proofs of group membership comprise one 
or more group membership lists. 

77. (Original) The method of claim 73, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

78. (Original) The method of claim 77, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

79. (Original) The method of claim 77, wherein said proofs of group non-membership 
comprise one or more group membership lists. 

80. (Currently Amended) A method for operating a resource server on a computer network, said
resource server configured to control access to one or more resources and provide access thereto to
non-members of a nested group, the method comprising:

A. receiving a resource-access request from a client, said request including one or more chains of
group credentials proving client non-membership in the nested group,

B. validating the one or more chains of group credentials, and

C. if the one or more chains of group credentials are determined to be valid, providing the requested
access to the client.

81. (Original) The method of claim 80, wherein one of said chains of group credentials comprise 
one or more proofs of group membership. 

82. (Original) The method of claim 81, wherein said proofs of group membership comprise one 
or more group membership certificates. 

83. (Original) The method of claim 81, wherein said proofs of group membership comprise one 
or more group membership lists. 

84. (Original) The method of claim 80, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

85. (Original) The method of claim 84, wherein said proofs of group non-membership comprise 
one or more group non-membership certificates. 

86. (Original) The method of claim 84, wherein said proofs of group non-membership 
comprise one or more group membership lists. 

87. (Currently Amended) A method for operating a resource server on a computer network, said
resource server configured to control access to one or more resources and provide access thereto to
members of a nested group, the method comprising:

A. means for receiving a resource-access request from a client, said request including one or more
chains of group credentials proving client membership in the nested group,

B. means for validating the one or more chains of group credentials, and

C. means for providing the requested access to the client if the one or more chains of group
credentials are determined to be valid.

88. (Original) The resource server of claim 87, wherein one of said chains of group credentials 
comprise one or more proofs of group membership. 

FHBoston/1031123.1

89. (Original) The resource server of claim 88, wherein said proofs of group membership 
comprise one or more group membership certificates. 

90. (Original) The resource server of claim 88, wherein said proofs of group membership 
comprise one or more group membership lists. 

91. (Original) The resource server of claim 87, wherein one of said chains of group credentials 
comprise one or more proofs of group non-membership. 

92. (Original) The resource server of claim 91, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

93. (Original) The resource server of claim 91, wherein said proofs of group non-membership
comprise one or more group membership lists.

94. (Currently Amended) A method for operating a resource server on a computer network, said
resource server configured to control access to one or more resources and provide access thereto to
non-members of a nested group, the method comprising:

A. means for receiving a resource-access request from a client, said request including one or more
chains of group credentials proving client non-membership in the nested group,

B. means for validating the one or more chains of group credentials, and

C. means for providing the requested access to the client if the one or more chains of group
credentials are determined to be valid.

95. (Original) The resource server of claim 94, wherein one of said chains of group credentials 
comprise one or more proofs of group membership. 

96. (Original) The resource server of claim 95, wherein said proofs of group membership 
comprise one or more group membership certificates. 

97. (Original) The resource server of claim 95, wherein said proofs of group membership 
comprise one or more group membership lists. 

98. (Original) The resource server of claim 94, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership. 

99. (Original) The resource server of claim 98, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

100. (Original) The resource server of claim 98, wherein said proofs of group non-membership
comprise one or more group membership lists.

101. (Currently Amended) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device requesting one or
more resources from a server, in which access to said resources is so controlled by said server so as
to make them available to members of a nested group, configures the network device to operate as a
client device that:

A. obtains one or more chains of group credentials that prove client membership in the nested group,
and

B. transmits to the server a request for one or more of the one or more resources, said request
including the one or more chains of group credentials that prove membership in the nested group.

102. (Original) The computer data signal of claim 101, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

103. (Original) The computer data signal of claim 102, wherein said proofs of group 
membership comprise one or more group membership certificates. 

104. (Original) The computer data signal of claim 102, wherein said proofs of group 
membership comprise one or more group membership lists. 

105. (Original) The computer data signal of claim 101, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

106. (Original) The computer data signal of claim 105, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

107. (Original) The computer data signal of claim 105, wherein said proofs of group
non-membership comprise one or more group membership lists.

108. (Currently Amended) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device requesting one or
more resources from a server, in which access to said resources is so controlled by said server so as
to make them available to non-members of a nested group, configures the network device to operate
as a client device that:

A. obtains one or more chains of group credentials that prove client non-membership in the nested
group, and

B. transmits to the server a request for one or more of the one or more resources, said request
including the one or more chains of group credentials that prove non-membership in the nested group.

109. (Original) The computer data signal of claim 108, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

110. (Original) The computer data signal of claim 109, wherein said proofs of group
membership comprise one or more group membership certificates. 

111. (Original) The computer data signal of claim 109, wherein said proofs of group 
membership comprise one or more group membership lists. 

112. (Original) The computer data signal of claim 108, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership. 

113. (Original) The computer data signal of claim 112, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

114. (Original) The computer data signal of claim 112, wherein said proofs of group
non-membership comprise one or more group membership lists.

115. (Currently Amended) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device configured to
control access to one or more resources and provide access thereto to members of a nested group,
configures the network device to operate as a resource server that:

A. receives a resource-access request from a client, said request including one or more chains of
group credentials proving client membership in the nested group,

B. validates the one or more chains of group credentials, and

C. if the one or more chains of group credentials are determined to be valid, provides the requested
access to the client.

116. (Original) The computer data signal of claim 115, wherein one of said chains of group
credentials comprise one or more proofs of group membership. 

117. (Original) The computer data signal of claim 116, wherein said proofs of group 
membership comprise one or more group membership certificates. 

118. (Original) The computer data signal of claim 116, wherein said proofs of group
membership comprise one or more group membership lists. 

119. (Original) The computer data signal of claim 115, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

120. (Original) The computer data signal of claim 119, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

121. (Original) The computer data signal of claim 119, wherein said proofs of group
non-membership comprise one or more group membership lists.

122. (Currently Amended) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device configured to
control access to one or more resources and provide access thereto to non-members of a nested
group, configures the network device to operate as a resource server that:

A. receives a resource-access request from a client, said request including one or more chains of
group credentials proving client non-membership in the nested group,

B. validates the one or more chains of group credentials, and

C. if the one or more chains of group credentials are determined to be valid, provides the requested
access to the client.

123. (Original) The computer data signal of claim 122, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

124. (Original) The computer data signal of claim 123, wherein said proofs of group 
membership comprise one or more group membership certificates. 

125. (Original) The computer data signal of claim 123, wherein said proofs of group 
membership comprise one or more group membership lists. 

126. (Original) The computer data signal of claim 122, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

127. (Original) The computer data signal of claim 126, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

128. (Original) The computer data signal of claim 126, wherein said proofs of group
non-membership comprise one or more group membership lists.